dcrat | 984ab793faaa2379ee819842806aab13c7e1634736b4db55289f48c78731c331

General

Target

984ab793faaa2379ee819842806aab13c7e1634736b4db55289f48c78731c331.exe
Size

783KB
MD5

2182bd1be840a69475bbc68f9d607072
SHA1

c887cf077e1c295f3bafa10296866be598ac55f1
SHA256

984ab793faaa2379ee819842806aab13c7e1634736b4db55289f48c78731c331
SHA512

33dd27d5fac2a04c715b41e5b3f44df5aadde09d1f15d3a8892f0816f667871be98b1d6930ae513f0ed4095c8050a71db3aa51186b99bb671fd8ad33fc30fcb8
SSDEEP

12288:mqnOYxdAgpoNeF91rg5iFdr0yQ9gYx+EIpakCYJRU7Q9bWoFzqK:m+OQbpbgsFdAyQvzSqaq8q

Score

10^/10

dcrat evasion infostealer persistence rat trojan

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 9 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2028	864	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4940	864	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2996	864	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2288	864	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	116	864	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2920	864	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3420	864	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1788	864	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3672	864	schtasks.exe	83

UAC bypass 3 TTPs 3 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	984ab793faaa2379ee819842806aab13c7e1634736b4db55289f48c78731c331.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	984ab793faaa2379ee819842806aab13c7e1634736b4db55289f48c78731c331.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	984ab793faaa2379ee819842806aab13c7e1634736b4db55289f48c78731c331.exe

DCRat payload 5 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral2/memory/3640-1-0x0000000000830000-0x00000000008FA000-memory.dmp	dcrat
behavioral2/files/0x0007000000023ca6-34.dat	dcrat
behavioral2/files/0x0008000000023cae-96.dat	dcrat
behavioral2/files/0x0007000000023cbb-161.dat	dcrat
behavioral2/memory/644-163-0x0000000000440000-0x000000000050A000-memory.dmp	dcrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	984ab793faaa2379ee819842806aab13c7e1634736b4db55289f48c78731c331.exe

Executes dropped EXE 1 IoCs

pid	Process
644	dwm.exe

Adds Run key to start application 2 TTPs 9 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\unsecapp = "\"C:\\PerfLogs\\unsecapp.exe\""	984ab793faaa2379ee819842806aab13c7e1634736b4db55289f48c78731c331.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SppExtComObj = "\"C:\\Windows\\DigitalLocker\\en-US\\SppExtComObj.exe\""	984ab793faaa2379ee819842806aab13c7e1634736b4db55289f48c78731c331.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\Windows\\System32\\Groupinghc\\dwm.exe\""	984ab793faaa2379ee819842806aab13c7e1634736b4db55289f48c78731c331.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Registry = "\"C:\\Windows\\LiveKernelReports\\Registry.exe\""	984ab793faaa2379ee819842806aab13c7e1634736b4db55289f48c78731c331.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\Users\\All Users\\Microsoft\\WinMSIPC\\Server\\spoolsv.exe\""	984ab793faaa2379ee819842806aab13c7e1634736b4db55289f48c78731c331.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MusNotification = "\"C:\\Windows\\System32\\themecpl\\MusNotification.exe\""	984ab793faaa2379ee819842806aab13c7e1634736b4db55289f48c78731c331.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\984ab793faaa2379ee819842806aab13c7e1634736b4db55289f48c78731c331 = "\"C:\\Recovery\\WindowsRE\\984ab793faaa2379ee819842806aab13c7e1634736b4db55289f48c78731c331.exe\""	984ab793faaa2379ee819842806aab13c7e1634736b4db55289f48c78731c331.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Windows\\System32\\mtxoci\\dllhost.exe\""	984ab793faaa2379ee819842806aab13c7e1634736b4db55289f48c78731c331.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Windows\\System32\\lpremove\\RuntimeBroker.exe\""	984ab793faaa2379ee819842806aab13c7e1634736b4db55289f48c78731c331.exe

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	984ab793faaa2379ee819842806aab13c7e1634736b4db55289f48c78731c331.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	984ab793faaa2379ee819842806aab13c7e1634736b4db55289f48c78731c331.exe

Drops file in System32 directory 16 IoCs

description	ioc	Process
File created	C:\Windows\System32\lpremove\9e8d7a4ca61bd92aff00cc37a7a4d62a2cac998d	984ab793faaa2379ee819842806aab13c7e1634736b4db55289f48c78731c331.exe
File created	C:\Windows\System32\mtxoci\5940a34987c99120d96dace90a3f93f329dcad63	984ab793faaa2379ee819842806aab13c7e1634736b4db55289f48c78731c331.exe
File opened for modification	C:\Windows\System32\lpremove\RCXA903.tmp	984ab793faaa2379ee819842806aab13c7e1634736b4db55289f48c78731c331.exe
File opened for modification	C:\Windows\System32\Groupinghc\dwm.exe	984ab793faaa2379ee819842806aab13c7e1634736b4db55289f48c78731c331.exe
File opened for modification	C:\Windows\System32\mtxoci\RCXB947.tmp	984ab793faaa2379ee819842806aab13c7e1634736b4db55289f48c78731c331.exe
File opened for modification	C:\Windows\System32\themecpl\RCXAD7A.tmp	984ab793faaa2379ee819842806aab13c7e1634736b4db55289f48c78731c331.exe
File opened for modification	C:\Windows\System32\Groupinghc\RCXB463.tmp	984ab793faaa2379ee819842806aab13c7e1634736b4db55289f48c78731c331.exe
File created	C:\Windows\System32\Groupinghc\dwm.exe	984ab793faaa2379ee819842806aab13c7e1634736b4db55289f48c78731c331.exe
File opened for modification	C:\Windows\System32\themecpl\MusNotification.exe	984ab793faaa2379ee819842806aab13c7e1634736b4db55289f48c78731c331.exe
File created	C:\Windows\System32\lpremove\RuntimeBroker.exe	984ab793faaa2379ee819842806aab13c7e1634736b4db55289f48c78731c331.exe
File created	C:\Windows\System32\themecpl\MusNotification.exe	984ab793faaa2379ee819842806aab13c7e1634736b4db55289f48c78731c331.exe
File created	C:\Windows\System32\themecpl\aa97147c4c782d4a77c6b7822ef5383b917e6cfb	984ab793faaa2379ee819842806aab13c7e1634736b4db55289f48c78731c331.exe
File created	C:\Windows\System32\Groupinghc\6cb0b6c459d5d3455a3da700e713f2e2529862ff	984ab793faaa2379ee819842806aab13c7e1634736b4db55289f48c78731c331.exe
File created	C:\Windows\System32\mtxoci\dllhost.exe	984ab793faaa2379ee819842806aab13c7e1634736b4db55289f48c78731c331.exe
File opened for modification	C:\Windows\System32\lpremove\RuntimeBroker.exe	984ab793faaa2379ee819842806aab13c7e1634736b4db55289f48c78731c331.exe
File opened for modification	C:\Windows\System32\mtxoci\dllhost.exe	984ab793faaa2379ee819842806aab13c7e1634736b4db55289f48c78731c331.exe

Drops file in Windows directory 8 IoCs

description	ioc	Process
File created	C:\Windows\LiveKernelReports\Registry.exe	984ab793faaa2379ee819842806aab13c7e1634736b4db55289f48c78731c331.exe
File opened for modification	C:\Windows\LiveKernelReports\Registry.exe	984ab793faaa2379ee819842806aab13c7e1634736b4db55289f48c78731c331.exe
File created	C:\Windows\LiveKernelReports\ee2ad38f3d43822fe0c92830b00d06adc71395d2	984ab793faaa2379ee819842806aab13c7e1634736b4db55289f48c78731c331.exe
File created	C:\Windows\DigitalLocker\en-US\SppExtComObj.exe	984ab793faaa2379ee819842806aab13c7e1634736b4db55289f48c78731c331.exe
File created	C:\Windows\DigitalLocker\en-US\e1ef82546f0b02b7e974f28047f3788b1128cce1	984ab793faaa2379ee819842806aab13c7e1634736b4db55289f48c78731c331.exe
File opened for modification	C:\Windows\LiveKernelReports\RCXA691.tmp	984ab793faaa2379ee819842806aab13c7e1634736b4db55289f48c78731c331.exe
File opened for modification	C:\Windows\DigitalLocker\en-US\RCXB1F1.tmp	984ab793faaa2379ee819842806aab13c7e1634736b4db55289f48c78731c331.exe
File opened for modification	C:\Windows\DigitalLocker\en-US\SppExtComObj.exe	984ab793faaa2379ee819842806aab13c7e1634736b4db55289f48c78731c331.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	984ab793faaa2379ee819842806aab13c7e1634736b4db55289f48c78731c331.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 9 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
116	schtasks.exe
3672	schtasks.exe
2028	schtasks.exe
2996	schtasks.exe
2288	schtasks.exe
2920	schtasks.exe
3420	schtasks.exe
1788	schtasks.exe
4940	schtasks.exe

Suspicious behavior: EnumeratesProcesses 19 IoCs

pid	Process
3640	984ab793faaa2379ee819842806aab13c7e1634736b4db55289f48c78731c331.exe
3640	984ab793faaa2379ee819842806aab13c7e1634736b4db55289f48c78731c331.exe
3640	984ab793faaa2379ee819842806aab13c7e1634736b4db55289f48c78731c331.exe
3640	984ab793faaa2379ee819842806aab13c7e1634736b4db55289f48c78731c331.exe
3640	984ab793faaa2379ee819842806aab13c7e1634736b4db55289f48c78731c331.exe
3640	984ab793faaa2379ee819842806aab13c7e1634736b4db55289f48c78731c331.exe
3640	984ab793faaa2379ee819842806aab13c7e1634736b4db55289f48c78731c331.exe
3640	984ab793faaa2379ee819842806aab13c7e1634736b4db55289f48c78731c331.exe
3640	984ab793faaa2379ee819842806aab13c7e1634736b4db55289f48c78731c331.exe
3640	984ab793faaa2379ee819842806aab13c7e1634736b4db55289f48c78731c331.exe
3640	984ab793faaa2379ee819842806aab13c7e1634736b4db55289f48c78731c331.exe
3640	984ab793faaa2379ee819842806aab13c7e1634736b4db55289f48c78731c331.exe
3640	984ab793faaa2379ee819842806aab13c7e1634736b4db55289f48c78731c331.exe
3640	984ab793faaa2379ee819842806aab13c7e1634736b4db55289f48c78731c331.exe
3640	984ab793faaa2379ee819842806aab13c7e1634736b4db55289f48c78731c331.exe
3640	984ab793faaa2379ee819842806aab13c7e1634736b4db55289f48c78731c331.exe
3640	984ab793faaa2379ee819842806aab13c7e1634736b4db55289f48c78731c331.exe
3640	984ab793faaa2379ee819842806aab13c7e1634736b4db55289f48c78731c331.exe
3640	984ab793faaa2379ee819842806aab13c7e1634736b4db55289f48c78731c331.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3640	984ab793faaa2379ee819842806aab13c7e1634736b4db55289f48c78731c331.exe
Token: SeDebugPrivilege	644	dwm.exe

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 3640 wrote to memory of 644	3640	984ab793faaa2379ee819842806aab13c7e1634736b4db55289f48c78731c331.exe	96
PID 3640 wrote to memory of 644	3640	984ab793faaa2379ee819842806aab13c7e1634736b4db55289f48c78731c331.exe	96

System policy modification 1 TTPs 3 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	984ab793faaa2379ee819842806aab13c7e1634736b4db55289f48c78731c331.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	984ab793faaa2379ee819842806aab13c7e1634736b4db55289f48c78731c331.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	984ab793faaa2379ee819842806aab13c7e1634736b4db55289f48c78731c331.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\984ab793faaa2379ee819842806aab13c7e1634736b4db55289f48c78731c331.exe
"C:\Users\Admin\AppData\Local\Temp\984ab793faaa2379ee819842806aab13c7e1634736b4db55289f48c78731c331.exe"
1⤵
- UAC bypass
- Checks computer location settings
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:3640
- C:\Windows\System32\Groupinghc\dwm.exe
  "C:\Windows\System32\Groupinghc\dwm.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:644

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Windows\LiveKernelReports\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2028

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Windows\System32\lpremove\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4940

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Users\All Users\Microsoft\WinMSIPC\Server\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2996

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "MusNotification" /sc ONLOGON /tr "'C:\Windows\System32\themecpl\MusNotification.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2288

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\PerfLogs\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:116

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Windows\DigitalLocker\en-US\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2920

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Windows\System32\Groupinghc\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3420

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "984ab793faaa2379ee819842806aab13c7e1634736b4db55289f48c78731c331" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\984ab793faaa2379ee819842806aab13c7e1634736b4db55289f48c78731c331.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1788

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\System32\mtxoci\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3672

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

1

T1548

Bypass User Account Control

1

T1548.002

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

1

T1548

Bypass User Account Control

1

T1548.002

Impair Defenses

1

T1562

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

3

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PerfLogs\unsecapp.exe

Filesize
783KB

MD5
2182bd1be840a69475bbc68f9d607072

SHA1
c887cf077e1c295f3bafa10296866be598ac55f1

SHA256
984ab793faaa2379ee819842806aab13c7e1634736b4db55289f48c78731c331

SHA512
33dd27d5fac2a04c715b41e5b3f44df5aadde09d1f15d3a8892f0816f667871be98b1d6930ae513f0ed4095c8050a71db3aa51186b99bb671fd8ad33fc30fcb8

Download Submit
C:\Recovery\WindowsRE\984ab793faaa2379ee819842806aab13c7e1634736b4db55289f48c78731c331.exe

Filesize
783KB

MD5
346b613724ce0d309f2e17d7d7a3c9c1

SHA1
b5ac7de972b9328c83a0203b341f7e2660d394d4

SHA256
cc010a5b4f9bd197fb99ce2bbbca53398f5774997ebf042146c1f61ce2d52d8a

SHA512
b40c93d58204d77e26b98e8dfc80703e9809ffde0f82b739fb2f5efa6e5a2750be6e5e192a3e7410358d2b9b3ea226d99445578a69a5a31749b4e4db28fb4090

Download Submit
C:\Windows\System32\Groupinghc\dwm.exe

Filesize
783KB

MD5
5fa6b3cf59a98abe425bf5cff9d1e927

SHA1
eedee72d5be0c815d72d1b3365f16a2c49e5d6f7

SHA256
c6cd1d57680fc721c634bc0c78b82fcf18e11d4a874959d2dcc55f6c5b3523d1

SHA512
a220ebeabc8c4c7bd80dc18c66546eeb74f8223bf65abc1c308ed0794879fa57f8bbfb8b544501e21afa952d01a03f2fd18f37e9abb209fb97f57f9255607bba

Download Submit
memory/644-163-0x0000000000440000-0x000000000050A000-memory.dmp

Filesize
808KB

Download
memory/3640-19-0x000000001B460000-0x000000001B468000-memory.dmp

Filesize
32KB

Download
memory/3640-22-0x000000001B4A0000-0x000000001B4A8000-memory.dmp

Filesize
32KB

Download
memory/3640-7-0x0000000002AC0000-0x0000000002ACC000-memory.dmp

Filesize
48KB

Download
memory/3640-9-0x0000000002AD0000-0x0000000002ADA000-memory.dmp

Filesize
40KB

Download
memory/3640-11-0x000000001B410000-0x000000001B418000-memory.dmp

Filesize
32KB

Download
memory/3640-10-0x0000000002AE0000-0x0000000002AE8000-memory.dmp

Filesize
32KB

Download
memory/3640-8-0x0000000002AF0000-0x0000000002AFA000-memory.dmp

Filesize
40KB

Download
memory/3640-4-0x0000000002A60000-0x0000000002A68000-memory.dmp

Filesize
32KB

Download
memory/3640-12-0x0000000002AA0000-0x0000000002AA8000-memory.dmp

Filesize
32KB

Download
memory/3640-13-0x0000000002B00000-0x0000000002B08000-memory.dmp

Filesize
32KB

Download
memory/3640-14-0x000000001B3F0000-0x000000001B3F8000-memory.dmp

Filesize
32KB

Download
memory/3640-16-0x000000001B420000-0x000000001B428000-memory.dmp

Filesize
32KB

Download
memory/3640-0-0x00007FFDD3503000-0x00007FFDD3505000-memory.dmp

Filesize
8KB

Download
memory/3640-21-0x000000001B490000-0x000000001B49C000-memory.dmp

Filesize
48KB

Download
memory/3640-20-0x000000001B480000-0x000000001B488000-memory.dmp

Filesize
32KB

Download
memory/3640-6-0x0000000002A90000-0x0000000002A98000-memory.dmp

Filesize
32KB

Download
memory/3640-18-0x000000001B430000-0x000000001B438000-memory.dmp

Filesize
32KB

Download
memory/3640-17-0x000000001B450000-0x000000001B458000-memory.dmp

Filesize
32KB

Download
memory/3640-15-0x000000001B400000-0x000000001B408000-memory.dmp

Filesize
32KB

Download
memory/3640-25-0x00007FFDD3500000-0x00007FFDD3FC1000-memory.dmp

Filesize
10.8MB

Download
memory/3640-26-0x00007FFDD3500000-0x00007FFDD3FC1000-memory.dmp

Filesize
10.8MB

Download
memory/3640-31-0x00007FFDD3500000-0x00007FFDD3FC1000-memory.dmp

Filesize
10.8MB

Download
memory/3640-5-0x0000000002A70000-0x0000000002A80000-memory.dmp

Filesize
64KB

Download
memory/3640-90-0x00007FFDD3503000-0x00007FFDD3505000-memory.dmp

Filesize
8KB

Download
memory/3640-3-0x0000000002A50000-0x0000000002A58000-memory.dmp

Filesize
32KB

Download
memory/3640-103-0x00007FFDD3500000-0x00007FFDD3FC1000-memory.dmp

Filesize
10.8MB

Download
memory/3640-2-0x00007FFDD3500000-0x00007FFDD3FC1000-memory.dmp

Filesize
10.8MB

Download
memory/3640-1-0x0000000000830000-0x00000000008FA000-memory.dmp

Filesize
808KB

Download
memory/3640-165-0x00007FFDD3500000-0x00007FFDD3FC1000-memory.dmp

Filesize
10.8MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads